A More Secure World for Apps

Community Leader Devs+502 & JDuchess Chapter Guatemala Ex-JUG Member Guatemala Java Users Group (GuateJUG) Chief Technology Officer (CTO) at Produactivity Full Stack Developer

Mercedes Wyss @itrjwyss

Auth0 Ambassador & Oracle Developer Champion

Security is a Team Effort

Free Hamburgers

Once upon a time…

Once upon a time…

Free Hamburgers

What could go wrong?

What could go wrong? •

Layalty Programs are a Marketing Strategy



Don’t represent a loss for the company

BUT



They started to lose money for the Loyalty Program

What could go wrong? •

Layalty Programs are a Marketing Strategy



Don’t represent a loss for the company

BUT



They started to lose money for the Loyalty Program

What was wrong?

What was wrong? GET
 http://AmazingHamburguers.com/addPoints?user=qwer&code=7834


 GET
 http://AmazingHamburguers.com/register? [email protected]&password=q1w2e3r4t5y6


 GET
 http://AmazingHamburguers.com/login? user=qwer&password=q1w2e3r4t5y6

What was wrong? Exposed Params



GET
 http://AmazingHamburguers.com/addPoints?user=qwer&code=7834

HTTP Method



GET
 http://AmazingHamburguers.com/register? [email protected]&password=q1w2e3r4t5y6

SSL/TLS Absence

GET
 http://AmazingHamburguers.com/login? user=qwer&password=q1w2e3r4t5y6

What was wrong? •

Emails, Password and Codes were exposed



A company lost money



Someone lost his job

How to solve this issue?

How to solve this issue? •

Use an information exchange protocol, like JSON



Use a different HTTP Method than GET, like POST



Use SSL/TLS certificate

How to solve this issue? •

POST
 https://AmazingHamburguers.com/ addPoints?
 
 {
 “user”:”qwer”,
 “code”:7834
 }

How to solve this issue? •

POST
 https://AmazingHamburguers.com/ addPoints?
 
 {
 “user”:”qwer”,
 “code”:7834
 }

With SSL/TLS
 Will travel encrypted

Human Verification

reCAPTCHA

Create the Site

Create the Site

Adding Dependency

reCAPTCHA SafetyNet.getClient(this).verifyWithRecaptcha("6LdDHU8UAAAAAK6y7GYEPQH8_svKQfQmFvk_c6pA") .addOnSuccessListener(this) { response -> if (!response.tokenResult.isEmpty()) { Log.d(TAG, "TokenResult: " + response.tokenResult) } } .addOnFailureListener(this) { e -> if (e is ApiException) { Log.d(TAG, "Error message: " + CommonStatusCodes.getStatusCodeString(e.statusCode)) } else { Log.d(TAG, "Unknown type of error: " + e.message) } }

reCAPTCHA SafetyNet.getClient(this).verifyWithRecaptcha("6LdDHU8UAAAAAK6y7GYEPQH8_svKQfQmFvk_c6pA") .addOnSuccessListener(this) { response -> if (!response.tokenResult.isEmpty()) { Log.d(TAG, "TokenResult: " + response.tokenResult) Verify the result } } .addOnFailureListener(this) { e -> if (e is ApiException) { Log.d(TAG, "Error message: " + CommonStatusCodes.getStatusCodeString(e.statusCode)) } else { Log.d(TAG, "Unknown type of error: " + e.message) } }

reCAPTCHA

reCAPTCHA

reCAPTCHA

reCAPTCHA

“Convenience Over Security”

What was wrong?



Was storing data about users in plain text and locally on a device (public access)



Emails, Passwords and geolocation data

What was wrong?

• •

Public Access

Was storing data about users in plain text and locally on a device (public access)

Unencrypted Emails, Passwords and geolocation data

Data

How to solve this issue?

How to solve this issue? •

Save the information so that only our application has access to it.



SharedPreferences



Storage (Internal)

Shared Preferences SharedPreferences sharedPref = context.getSharedPreferences( getString(R.string.preference_file_key), Context.MODE_PRIVATE);

SharedPreferences.Editor editor = sharedPref.edit(); editor.putString(getString(R.string.id), id); editor.commit();

sharedPref.getString(getString(R.string.id), defaultValue);

Shared Preferences SharedPreferences sharedPref = context.getSharedPreferences( getString(R.string.preference_file_key), Context.MODE_PRIVATE); Restrict Access

SharedPreferences.Editor editor = sharedPref.edit(); editor.putString(getString(R.string.id), id); editor.commit();

sharedPref.getString(getString(R.string.id), defaultValue);

only to my App

Internal Storage •

By default those files are accessible only to your app.

File file = new File(context.getFilesDir(), filename);

Internal Storage String filename = "myfile"; String string = “The email, The password”; FileOutputStream outputStream; try { outputStream = context.openFileOutput(filename, Context.MODE_PRIVATE); outputStream.write(string.getBytes()); outputStream.close(); } catch (Exception e) { e.printStackTrace(); }

We can encrypt the information

Java Cryptography Architecture

AndroidKeyStore •

Java Cryptography Implementaion



Key material may be bound to the secure hardware (Trust Zone)



Asymmetric keys from 18+



Symmetric keys from 23+

Cipher

Cryptography Process

Cipher fun encrypt(data: String, key: Key?): String { cipher.init(Cipher.ENCRYPT_MODE, key) val bytes = cipher.doFinal(data.toByteArray()) return Base64.encodeToString(bytes, Base64.DEFAULT) }

Cipher fun decrypt(data: String, key: Key?): String { cipher.init(Cipher.DECRYPT_MODE, key) val encryptedData = Base64.decode(data, Base64.DEFAULT) val decodedData = cipher.doFinal(encryptedData) return String(decodedData) }

Security Myth

Security Myth •

“Is it better for mobile apps to be easy-to-use, or secure?”



User Friendly vs Security



Permanent open session



OAuth (2006, 2010)

Bad API Design

Bad API Design

Username Password

OAuth Client

OAuth Server

Backend Server

Client

OAuth Server

Backend Server

Is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.

Header

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ 9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmF tZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRy dWV9.TJVA95OrM7E2cBab30RMHrHDc Claims EfxjoYZgeFONFh7HgQ

JSON Web Signature
 JWT + JWS

Signature Algorithms

Exploring JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 . eyJqdGkiOiI1MWQ4NGFjMS1kYjMxLTRjM2ItOTQwOS1lNjMwZWJiYj gzZGYiLCJ1c2VybmFtZSI6Imh1bnRlcjIiLCJzY29wZXMiOlsicmVw bzpyZWFkIiwiZ2lzdDp3cml0ZSJdLCJpc3MiOiIxNDUyMzQzMzcyIi wiZXhwIjoiMTQ1MjM0OTM3MiJ9 . cS5KkPxtEJ9eonvsGvJBZFIamDnJA7gSz3HZBWv6S1Q

How Works the Signature? { } . {

"alg": "HS256", "typ": "JWT"

"jti": "51d84ac1-db31-4c3b-9409-e630ebbb83df", “sub": "hunter2", "scopes": ["repo:read", "gist:write"], "iss": "1452343372", "exp": "1452349372"

} . HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret )

Registered Claims iss

The issuer of the token

sub

The subject of the token

aud

The audience of the token

exp

The expiration in NumericDate value

nbf

sbt configuration files

iat

The time the JWT was issued

jti

Unique identifier for the JWT

Registered Claims iss

The issuer of the token

sub

The subject of the token

aud

The audience of the token

exp

The expiration in NumericDate value

nbf

sbt configuration files

iat

The time the JWT was issued

jti

Unique identifier for the JWT

Registered Claims iss

The issuer of the token

sub

The subject of the token

aud

The audience of the token

exp

The expiration in NumericDate value

nbf

sbt configuration files

iat

The time the JWT was issued

jti

Unique identifier for the JWT

What problems does JWT solve? •

Authentication



Authorization



Federated Identity



Information Exchange



Client-side Sessions (“stateless” sessions)



Client-side Secrets

What problems does JWT solve? •

Authentication



Authorization



Federated Identity



Information Exchange



Client-side Sessions (“stateless” sessions)



Client-side Secrets

Client

Server

Auth0 (June 2017) h/ps://cdn.auth0.com/content/jwt/jwt-diagram.png

Client

Server

Authentication Process

Auth0 (June 2017) h/ps://cdn.auth0.com/content/jwt/jwt-diagram.png

Client

Server

Authorization Process

Auth0 (June 2017) h/ps://cdn.auth0.com/content/jwt/jwt-diagram.png

Fail Encryption

What happenned? {
 "accountName":"Mercedes Wyss",
 “accountNumber":"1234567890"
 }

What happenned? {
 "accountName":"Mercedes Wyss",
 “accountNumber":"1234567890"
 }

JjLYWa7gFBj7JVNogMTp37z24NQ74dYy6b8u5N8FO9NmyQeg YVAuM17Duumvz9yLsHiz/RusnmelZgHol1QVKkl84pBt8bJm7/ e9qjY+dTc=

What happenned? {
 "accountName":"Mercedes Wyss",
 “accountNumber":"1234567890"
 } {
 "accountName":"5cPRRpp/bUkcnNZ6CZ6efg==",
 “accountNumber":"yPGQm/a6y1My3IBHnpQEVA=="
 }

What could go wrong?

What could go wrong? {
 "accountName":"Mercedes Wyss",
 “accountNumber":"1234567890"
 } {
 "accountName":"5cPRRpp/bUkcnNZ6CZ6efg==",
 “accountNumber":"yPGQm/a6y1My3IBHnpQEVA=="
 }

What could go wrong? {
 "accountName":"Mercedes Wyss",
 “accountNumber":"1234567890"
 } Unencrypted and Encripted values

{
 "accountName":"5cPRRpp/bUkcnNZ6CZ6efg==",
 “accountNumber":"yPGQm/a6y1My3IBHnpQEVA=="
 }

Reverse Engineering

Reverse Engineering {
 "accountName":"Mercedes Wyss",
 “accountNumber":"1234567890"
 } Unencrypted and Encripted values

{
 "accountName":"5cPRRpp/bUkcnNZ6CZ6efg==",
 “accountNumber":"yPGQm/a6y1My3IBHnpQEVA=="
 }

What went wrong?



If I have the encrypted and unencrypted values, I can found the Secret Key and Encryption Algorithm

JSON Web Encryption JWE

JSON Web Encryption •

The JWE Protected Header



The JWE Encrypted Key



The JWE Initialization Vector



The JWE Ciphertext



The JWE Authentication Tag

eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00ifQ. OKOawDo13gRp2ojaHV7LFpZcgV7T6DVZKTyKOMTYUmKoTCVJRgckCL 9kiMT03JGeipsEdY3mx_etLbbWSrFr05kLzcSr4qKAq7YN7e9jwQRb 23nfa6c9dStnImGyFDbSv04uVuxIp5Zms1gNxKKK2Da14B8S4rzVRltdYwam_lD p5XnZAYpQdb76FdIKLaVmqgfwX7XWRxv2322ivDxRfqNzo_tETKzpVLzfiwQyeyPGLBIO56YJ7eObdv0je81860ppam avo35UgoRdbYaBcoh9QcfylQr66oc6vFWXRcZ_ZT2LawVCWTIy3brG Pi6UklfCpIMfIjf7iGdXKHzg. 48V1_ALb6US04U3b. 5eym8TW_c8SuK0ltJ3rpYIzOeDQz7TALvtu6UG9oMo4vpzs9tX_EFS hS8iB7j6jiSdiwkIr3ajwQzaBtQD_A. XFBoMYUZodetZdvTiFvSkQ



This JWE employs RSA-OAEP for key encryption and A256GCM for content encryption

JWE Protected Header

Identity Management

Firebase Auth •

Anonymous Authentication



Management (name, email, photoURL, password)



Multiple Auth Providers (Federated Identity)



Passwordless (email link, phone number)

Auth0 •

Management (I can define the info)



Define roles



More extensible Federated Identity, Passwordless



Multifactor Authentication

Password Nightmare

Password Nightmare The password must be contain



At least one numerical character



At least one uppercase character



At least one lowercase character



At least one symbol



At least one hieroglyph



The blood of a virgin



The horn of a unicorn

Password Nightmare •

Wrong password!!!



Wrong password!!!



Me: Recovery and Change Password



You need to use a different password than the previous one

Password Nightmare •

Wrong password!!!



Wrong password!!!



Me: Recovery and Change Password



You need to use a different password than the previous one

Passwordless & Federated Identity

Passwordless •

Passwordless Authentication is a type of authentication where users do not need to login with passwords.



Authentication with a magic link via email



Authentication with a one-time code via email



Authentication with a one-time code via SMS



Authentication with Fingerprint

Passwordless by Email

Passwordless by Code

Passwordless by Fingerprint

Federated Identity



Authenticate throw Federated Identities like Facebook, Twitter, Google.

Federated Identity - Firebase

Federated Auth0

Federated Auth0

Federated Auth0

Federated Auth0

Federated Auth0

https://github.com/itrjwyss/Journey18 https://www.facebook.com/itrjwyss @itrjwyss

Is it better for mobile apps to be easy-to-use, or secure? - GitHub

Page 1. A More Secure World for Apps. Page 2. Mercedes Wyss. @itrjwyss. Community Leader. Devs+502 & JDuchess Chapter Guatemala. Ex-JUG Member. Guatemala Java ..... Page 79. JSON Web Encryption. • The JWE Protected Header. • The JWE Encrypted Key. • The JWE Initialization Vector. • The JWE ...
Download PDF
9MB Sizes 21 Downloads 254 Views
Report

Recommend Documents

No documents